UNITED STATES RAILROAD RETIREMENT BOARD
OFFICE OF INSPECTOR GENERAL

Fiscal Year 2001 Financial Statement Audit
Letter to Management
Report No. 02-07, February 8, 2002

To the Board Members:

We have audited the accompanying consolidated balance sheet of the Railroad
Retirement Board (RRB) for the fiscal years ended September 30, 2001 and 2000, and the
related: consolidated statements of net cost, changes in net position, budgetary resources,
financing and custodial activity (hereinafter referred to as the “principal financial
statements”) for the years then ended and have issued our report thereon dated February
8, 2002. We conducted our audit in accordance with: generally accepted auditing
standards; the standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and, Office of
Management and Budget (OMB) Bulletin No. 01-02, "Audit Requirements for Federal
Financial Statements."

In planning and performing this audit we considered internal control in order to determine
our auditing procedures for the purpose of issuing our report on the RRB’s principal
financial statements and not to provide assurance on internal control. The maintenance of
adequate internal control designed to fulfill the RRB’s control objectives is the responsibility
of management. Because of inherent limitations in any system of internal control, errors or
irregularities may nevertheless occur and not be detected. Also, controls found to be
functioning at a point in time may later be found deficient because of the performance of
those responsible for applying them.
There can be no assurance that controls currently in
existence will prove to be adequate in the future as changes take place in the organization.

During our audit of the RRB’s principal financial statements, we noted certain matters
involving internal control and its operations that we consider to be reportable conditions
under standards established by OMB Bulletin 01-02. Reportable conditions are matters
coming to our attention that, in our judgment, relate to significant deficiencies in the design
or operation of internal control and could adversely affect the RRB’s ability to record,
process, summarize, and report financial data consistent with the assertions of
management in the financial statements. Our consideration of internal control would not
necessarily disclose all matters in internal control that might be reportable conditions.

844 N RUSH STREET CHICAGO IL 60611-2092

A material weakness is a reportable condition in which the design or operation of internal
control does not reduce to a relatively low level the risk that errors or irregularities in
amounts that would be material to the RRB’s financial statements may occur and not be
detected within a timely period by employees in the normal course of performing their
assigned functions.

In our report on internal control, dated February 8, 2002, we reported material weaknesses
in the RRB’s overall control environment and system of information security, and a
reportable condition related to debt recovery accounting. During our audit, we also noted
other matters involving the RRB’s internal control structure and its operation. The details of
our findings concerning internal control are presented in the attached summary
memorandum.
However, neither this letter, nor the attached memorandum, modifies our
report on the financial statements dated February 8, 2002, referred to in the first paragraph
of this letter.

Our work was not conducted for the primary purpose of making detailed recommendations
about the RRB’s system of internal control. Had we done so, other matters might have
come to our attention that we would have reported to you.

This report is intended solely for the information and use of the management of the RRB,
OMB, and Congress, and is not intended to be and should not be used by anyone other
than these specified parties.

We wish to express our appreciation for the many courtesies and cooperation extended to
us during the audit.

Very truly yours,

Martin J. Dickman
Inspector General

February 8, 2002

Attachment

MEMORANDUM ON INTERNAL CONTROL

MATERIAL WEAKNESSES

Overall Control Environment

The RRB’s overall control environment is not adequate to ensure that agency financial
statements will be free of material misstatements and prepared in accordance with
applicable guidance. As a result, each financial statement audit since FY 1993 has cited
the agency for a material weakness in this area.

We believe that the RRB’s present administrative structure is the primary cause of this
internal control weakness. Management in the agency’s various operating components
does not seek assistance across organizational lines to resolve problems related to
financial accounting and reporting when they arise.
As in prior audits, we continue to
observe that the RRB’s internal control environment is focused on control objectives and
techniques designed to meet the organizational responsibilities of each of the individual
operating units, rather than the overall objectives of the RRB. As a result, the agency has
experienced difficulties in resolving financial accounting and reporting issues that require
cross-organizational cooperation.

Agency management believes that previous reorganizations and the amplified role of the
executive committee have eliminated the material weakness. The RRB did not include our
finding concerning the overall control environment as a material weakness in the
statements of assurance that were issued pursuant to the Federal Managers’ Financial
Integrity Act, for FYs 1997, 1998, 1999, 2000 or 2001.

The OIG believes the overall control environment continues to be a material weakness.
The conditions that led to the original finding continue to exist and have an adverse effect
on the agency’s ability to meet its internal control objectives related to financial statement
reporting. Although the RRB has implemented changes to the agency’s organizational
structure, we have not observed a related change in the agency’s organizational culture.

Information Security

During FY 2001, the OIG conducted a review of information security at the RRB pursuant to
the requirements of the Government Information Security Reform Act. Our review
disclosed weaknesses in most areas of the RRB’s information security program.
Significant deficiencies in program management and access controls make the agency’s
information security program a source of material weakness in internal control over
financial reporting.

Access controls cannot be considered fully effective due primarily to inadequacies in
password management.
Our review identified numerous password management
weaknesses in the mainframe, local area and wide area computing environments. The
RRB’s most notable problem is the agency’s inability to police and enforce its recently
adopted policy requiring the use of more complex password configurations. Other
weaknesses observed during this review included: passwords that never expire, inactive,
duplicate accounts, separated employees and former contractors whose information
system privileges had not been revoked.

The overall effectiveness of the RRB’s information security program has been undermined
by a lack of training among key personnel. Employees with decision-making responsibility
for information security have not had adequate formal training in its theory, principles and
practice. In addition, the information security program lacks a strong security framework
with a central management focal point. These two deficiencies are the underlying cause of
many other control problems identified during the audit.

Our report also cites the agency for:

   •   weaknesses in the security planning and evaluation process;
   •   inadequacies in the design of controls intended to restrict individual privileges to the
       minimum required by their employment; and
   •   a lack of documentation for some security-related activities.

The OIG reported its assessment to agency management in the form of an executive
summary dated September 5, 2001. The OIG’s detailed findings were published in final
form in OIG Audit Report Number 02-04 dated February 2, 2002. In that report, we made
specific recommendations for corrective action to strengthen controls in the areas of
weakness identified by the audit.
In their response, the Bureau of Information Services
concurred with most of the OIG’s recommendations, and stated that many had already
been implemented. However, the agency is still developing target dates for remedial
action in some critical areas.

REPORTABLE CONDITION

Accounting for Benefit Overpayment Recoveries

During FY 2000, the OIG identified weaknesses in internal control over debt recovery
transactions that adversely impact the ability of the agency to ensure the reliability of
financial reporting and the safeguarding of accounts receivable. We identified errors in the
recording of debt recovery transactions that included:

   •   returned benefit payments that had not been credited to debtor accounts;
   •   benefit payments that had been erroneously credited to debtor accounts as
       recoveries;
   •   delayed recording of certain RUIA debt recoveries; and

An examination of these errors identified weaknesses in the related internal controls.
The present internal control structure, as it relates to debt recovery accounting, does not:

   •   consistently provide for the establishment, review and reconciliation of general
       ledger controlling accounts for benefit payment activity;
   •   include review of all systems output; and
   •   prevent or detect certain unauthorized and/or unsupported transactions.

In addition, the present internal control environment does not provide management with
sufficient information concerning the number and value of non-conforming transactions to
provide the basis for an evaluation of potential financial impact.

These weaknesses in internal control were brought to management’s attention in the Office
of Inspector General’s audit report, #00-16, dated September 29, 2000. Agency
management has implemented some of the OIG’s recommendations for corrective action.
However, they have not taken the recommended action in several key areas, including the
implementation of controlling accounts for benefit payments, citing the inability of existing
benefit payment sub-systems to support a cost-effective control and reconciliation process.

OTHER MATTERS INVOLVING INTERNAL CONTROL

Problem Resolution Reporting

Logs used to track user reports of mainframe computer problems do not provide
management in the Bureau of Information Services (BIS) with an adequate basis for
assessing the status or timeliness of problem resolution.

BIS maintains logs that record problems with the RRB’s mainframe system as reported by
users throughout the agency. Those logs record the problem reported, the date of the
report and whether or not the problem has been resolved.
However, the log does not
identify when the problem was resolved and, as a result, does not provide a basis for
assessing the timeliness of problem resolution. In addition, detailed records that support
problem resolution are not always consistent with the status reported in the summary log.

We recommend that BIS modify the problem logs to include the date that each reported
mainframe computer problem is resolved and develop controls to ensure the consistency
of summary and detail records that support the problem resolution process. (Report
Recommendation #00-4)

Payroll Adjustments

Retroactive payroll adjustments are submitted to BFO on form G-56a. BFO personnel
enter the indicated corrections into the Tesseract system, the mainframe application that
supports payroll processing. The data entered is not reviewed for accuracy and, as a
result, errors may occur and not be detected in time to prevent payment errors.

We recommend that BFO develop a control to ensure the accuracy of retroactive payroll
adjustments. (Report Recommendation #01-1)

Cost of Living Increase for Grade/Pay Retention Employees

The salaries of certain employees are not mechanically updated for annual cost-of-living
increases. These employees have retained a salary commensurate with a higher-paid,
previously occupied position than the one they presently hold.

Updated salaries for these employees are manually calculated and entered into the
Tesseract system, the mainframe application that supports payroll processing. The data
entered is not reviewed for accuracy and, as a result, errors may occur and not be detected
in time to prevent payment errors.

We recommend that the Bureau of Human Resources develop a control to ensure the
accuracy of manual updates to the Tesseract system.
(Report Recommendation #01-2)

Attachment

STATUS OF PRIOR AND CURRENT YEAR RECOMMENDATIONS

We have reviewed the implementation of recommendations resulting from prior audits of
the RRB’s financial statements. The table below presents a summary of the status of
recommendations pending when we issued our “Letter to Management” dated February 8,
2002, in connection with our audit of the RRB’s FY 2001 financial statements. The
additional recommendations resulting from our audit of the agency’s FY 2001 financial
statements are also included.

                                      #      Implemented   In Progress   Declined

BUREAU OF FISCAL OPERATIONS
    Payroll Adjustments               01-1                      X

BUREAU OF HUMAN RESOURCES
    Cost of Living Adjustments        01-2                      X

BUREAU OF INFORMATION SERVICES
    Project Management reporting      00-2        X
    Systems Development Lifecycle     00-3        X
    Problem Resolution Reporting      00-4                      X